Diagnostic Commands and Tools


The show and debug commands are very important for troubleshooting AAA issues on the router.

show Commands

The show commands in AAA on the router are mainly used to view the status of a user authentication success or failure, and to find the status of the NAS-to-AAA-server connection. The following are some of the important show commands that can be used with the debug commands described in the following sections.

  • show aaa servers To display information about the number of packets sent to and received from AAA servers. This command was first introduced in IOS version 12.2(6) T and integrated in IOS version 12.3(7) T.

  • show tacacs To display statistics for a TACACS+ server. This command was first introduced in IOS version 11.2.

  • show radius statistics To display the RADIUS statistics for accounting and authentication packets. This command was first introduced in IOS version 12.1(3) T.

  • show users [all] To display information about the active lines on the router. This was first introduced in IOS version 10.0.

  • show aaa user {all | unique_id} To display attributes related to an AAA session of a single user or all users. This command was first introduced in IOS version 12.2(4) T.

debug Commands

Using AAA debug commands is by far the most useful and easiest way to isolate a problem pertaining to AAA. There are specific commands for specific issues. For instance, if you run into problems with authentication, there is the option to run the basic debug command to see the authentication-related message.

The following three commands are extensively used to isolate issues with AAA:

  • debug aaa authentication Mainly used for troubleshooting AAA authentication problem.

  • debug aaa authorization Used to view the success or failure of authorization messages.

  • debug aaa accounting Used to see the debug message related to accounting issues.

Example 9-1 shows a sample output of AAA.

Example 9-1. Sample debug Output of AAA Commands

Router#debug aaa authentication Router#debug aaa authorization Router#debug aaa accounting Oct 17 02:45:30.110: AAA/BIND(0000002D): Bind i/f Oct 17 02:45:30.114: AAA/ACCT/EVENT/(0000002D): CALL START Oct 17 02:45:30.114: Getting session id for NET(0000002D) : db=821C0394 Oct 17 02:45:30.114: AAA/ACCT(00000000): add node, session 16 Oct 17 02:45:30.114: AAA/ACCT/NET(0000002D): add, count 1 Oct 17 02:45:30.114: Getting session id for NONE(0000002D) : db=821C0394 Oct 17 02:45:30.114: AAA/AUTHEN/LOGIN (0000002D): Pick method list 'default' Oct 17 02:45:36.274: AAA/AUTHOR (0000002D): Method list id=0 not configured. Ski p author Router# 

To see the communication details between the NAS and AAA server for either TACACS+ or RADIUS, run either debug tacacs or debug RADIUS which will show debug information pertaining to the protocol.

Example 9-2 shows the sample output of TACACS+ debug message.

Example 9-2. Sample Debug Output of tacacs+ Commands

[View full width]

Router#debug tacacs+ Oct 17 02:48:43.238: TPLUS: Queuing AAA Authentication request 46 for processing Oct 17 02:48:43.238: TPLUS: processing authentication start request id 46 Oct 17 02:48:43.238: TPLUS: Authentication start packet created for 46() Oct 17 02:48:43.242: TPLUS: Using server 171.69.89.217 Oct 17 02:48:43.242: TPLUS(0000002E)/0/NB_WAIT/8226E298: Started 5 sec timeout Oct 17 02:48:43.246: TPLUS(0000002E)/0/NB_WAIT: socket event 2 Oct 17 02:48:43.246: TPLUS(0000002E)/0/NB_WAIT: wrote entire 37 bytes request Oct 17 02:48:43.246: TPLUS(0000002E)/0/READ: socket event 1 Oct 17 02:48:43.250: TPLUS(0000002E)/0/READ: Would block while reading Oct 17 02:48:43.650: TPLUS(0000002E)/0/READ: socket event 1 Oct 17 02:48:43.654: TPLUS(0000002E)/0/READ: read entire 12 header bytes (expect 16 bytes  data) Oct 17 02:48:43.654: TPLUS(0000002E)/0/READ: socket event 1 Oct 17 02:48:43.654: TPLUS(0000002E)/0/READ: read entire 28 bytes response Oct 17 02:48:43.654: TPLUS(0000002E)/0/8226E298: Processing the reply packet Oct 17 02:48:43.654: TPLUS: Received authen response status GET_USER (7) Oct 17 02:48:45.538: TPLUS: Queuing AAA Authentication request 46 for processing Oct 17 02:48:45.538: TPLUS: processing authentication continue request id 46 Oct 17 02:48:45.542: TPLUS: Authentication continue packet generated for 46 Oct 17 02:48:45.542: TPLUS(0000002E)/0/WRITE/821C0790: Started 5 sec timeout Oct 17 02:48:45.542: TPLUS(0000002E)/0/WRITE: wrote entire 22 bytes request Oct 17 02:48:45.966: TPLUS(0000002E)/0/READ: socket event 1 Oct 17 02:48:45.966: TPLUS(0000002E)/0/READ: read entire 12 header bytes (expect 16 bytes  data) Oct 17 02:48:45.966: TPLUS(0000002E)/0/READ: socket event 1 Oct 17 02:48:45.970: TPLUS(0000002E)/0/READ: read entire 28 bytes response Oct 17 02:48:45.970: TPLUS(0000002E)/0/821C0790: Processing the reply packet Oct 17 02:48:45.970: TPLUS: Received authen response status GET_PASSWORD (8) Oct 17 02:48:49.526: TPLUS: Queuing AAA Authentication request 46 for processing Oct 17 02:48:49.530: TPLUS: processing authentication continue request id 46 Oct 17 02:48:49.530: TPLUS: Authentication continue packet generated for 46 Oct 17 02:48:49.530: TPLUS(0000002E)/0/WRITE/821C0790: Started 5 sec timeout Oct 17 02:48:49.530: TPLUS(0000002E)/0/WRITE: wrote entire 25 bytes request Oct 17 02:48:50.010: TPLUS(0000002E)/0/READ: socket event 1 Oct 17 02:48:50.010: TPLUS(0000002E)/0/READ: read entire 12 header bytes (expect 6 bytes data) Oct 17 02:48:50.010: TPLUS(0000002E)/0/READ: socket event 1 Oct 17 02:48:50.010: TPLUS(0000002E)/0/READ: read entire 18 bytes response Oct 17 02:48:50.010: TPLUS(0000002E)/0/821C0790: Processing the reply packet Oct 17 02:48:50.010: TPLUS: Received authen response status PASS (2) Router# 

Note

When AAA debug is running in conjunction with TACACS+ or RADIUS, separate the debug by looking for TPLUS, AAA, and RADIUS. This helps in understanding which part you are having problems with.


Troubleshooting PPP authentication issues requires you to run the debug ppp authentication and debug ppp negotiation commands, which provide details on PPP-related items. The command debug condition user username sets conditional debugging for a specific user and generates output debugs related to the user. This command is helpful in an enterprise environment for troubleshooting.



Cisco Network Security Troubleshooting Handbook
Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
EAN: 2147483647
Year: 2006
Pages: 190
Authors: Mynul Hoda

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net